Thursday, 5 September 2013

openLDAP hierarchy ACL

Hey, I am actually trying to set up an ACL with a group hierarchy for my openLDAP.
I have a DIT looking like this:
dc=myldap,dc=de
  ou=GROUP
    ou=subgroup1
      ou=Admin
      ou=subsubgroup1
      ou=subsubgroup2
        ou=Admin
        ou=subsubsubgroup1
        ou=subsubsubgroup2
      ou=subsubgroup3
      ou=subsubgroup4
    ou=subgroup2
and so on....
I want to grant write access to each level for all users who are memberOf
the "ou=Admin" group of this level, and to the direct parent of this group,
but they should not see the Admin.
e.g.: ou=Admin,ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myldap,dc=de
should have write access to:
ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myldap,dc=de
ou=subsubsubgroup1,ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myldap,dc=de
ou=subsubsubgroup2,ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myldap,dc=de
The ACL I set up for this is the following:
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=admin,dc=myLdap,dc=de" write
  by * none
olcAccess: {1}to dn.base="dc=myLdap,dc=de" by users read
olcAccess: {2}to dn.regex="ou=Admin,(.+),ou=GROUP,dc=myLdap,dc=de" by * none
olcAccess: {3}to dn.exact="ou=GROUP,dc=myLdap,dc=de" by users read
olcAccess: {4}to dn.regex="ou=([^,]+),ou=GROUP,dc=myLdap,dc=de$"
  by group.regex="ou=Admin,ou=$1,ou=GROUP,dc=myLdap,dc=de" write
  by group.regex="ou=$1,ou=GROUP,dc=myLdap,dc=de" read
  by * none
olcAccess: {5}to dn.regex="ou=([^,]+),ou=([^,]+),ou=GROUP,dc=myLdap,dc=de$"
  by group.regex="ou=Admin,ou=$1,ou=$2,ou=GROUP,dc=myLdap,dc=de" write
  by group.regex="ou=Admin,ou=$2,ou=GROUP,dc=myLdap,dc=de" write
  by users read
olcAccess: {7}to dn.regex="ou=([^,]+),ou=([^,]+),ou=([^,]+),ou=GROUP,dc=myLdap,dc=de$"
  by group.regex="ou=Admin,ou=$1,ou=$2,ou=$3,ou=GROUP,dc=myLdap,dc=de" write
  by group.regex="ou=Admin,ou=$2,ou=$3,ou=GROUP,dc=myLdap,dc=de" write
  by users read
On the first level the ACL works fine: a member of the group
ou=Admin,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
is not able to see his own group but has write access to:
ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
ou=subsubgroup1,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
ou=subsubgroup3,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
ou=subsubgroup4,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de
But at the next level I get trouble; the ACL simply doesn't work at this point.
Any idea what I'm doing wrong? Is it possible what I want to do?
Looking forward to a solution.
Kind Regards
David
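An added example from the editor, not part of David's post: a small simulation of how slapd picks an access clause. slapd uses the first "to" clause whose dn.regex matches the target entry, and a dn.regex without a leading "^" is matched as a substring of the DN. The clause labels, patterns, group.regex templates and DNs below are taken from the post; the simulation assumes case-insensitive regex matching, and only clauses {4} and {5} are modelled.

```python
import re

# ACL clauses from the post: (label, dn.regex, Admin group.regex template).
# The post's {4} pattern has no leading "^", so it can also match the tail of
# a deeper DN and win before {5} is ever considered.
POSTED = [
    ("{4}", r"ou=([^,]+),ou=GROUP,dc=myLdap,dc=de$",
     "ou=Admin,ou=$1,ou=GROUP,dc=myLdap,dc=de"),
    ("{5}", r"ou=([^,]+),ou=([^,]+),ou=GROUP,dc=myLdap,dc=de$",
     "ou=Admin,ou=$1,ou=$2,ou=GROUP,dc=myLdap,dc=de"),
]

# The same clauses with every dn.regex anchored at the start, so each one
# matches only entries at its own depth.
ANCHORED = [(label, "^" + pattern, template) for label, pattern, template in POSTED]


def first_match(rules, dn):
    """Return (label, captured groups) of the first clause whose dn.regex
    matches `dn`, or None. re.search is unanchored like POSIX regexec;
    case-insensitive matching is an assumption about slapd's regex flags."""
    for label, pattern, _template in rules:
        m = re.search(pattern, dn, re.IGNORECASE)
        if m:
            return label, m.groups()
    return None


def expand(template, groups):
    """Substitute $1, $2, ... in a group.regex template with captured groups."""
    return re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1], template)


def admin_group_consulted(rules, dn):
    """(label, Admin group DN) whose membership the winning clause checks."""
    hit = first_match(rules, dn)
    if hit is None:
        return None
    label, groups = hit
    template = next(t for lbl, _p, t in rules if lbl == label)
    return label, expand(template, groups)


if __name__ == "__main__":
    dn = "ou=subsubgroup2,ou=subgroup1,ou=GROUP,dc=myLdap,dc=de"
    print("posted  :", admin_group_consulted(POSTED, dn))
    print("anchored:", admin_group_consulted(ANCHORED, dn))
```

With the posted patterns, a level-2 entry is decided by clause {4}, which checks the level-1 Admin group; with the anchored patterns, clause {5} is reached and the level-2 Admin group is checked.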
